WordPress Security: 7 Tips to Keep Your WordPress Site Secure

The following is a guest post by Devin Morrissey. Devin
writes in his garage and examines car parts in his office. He
aspires to be an eternal student, writing wherever the web takes
him.

WordPress is the platform that more sites on the web are built
on than any other, and for good reason. The platform is versatile,
powerful, and user-friendly. Contrary to
popular WordPress myths, it is about more than just blogging;
it also supports customer relationship management and even
e-commerce.

Visual page builders and simple post editors mean that the most
seasoned designer or the earliest beginner can set up, design, and
maintain a site with little effort. Initially, the setup is free,
but custom themes and important plugins will cost the user
something.

In our interconnected world, cybersecurity
is a vital part of keeping information out of the wrong hands.
Precisely because it is so popular, WordPress is also a frequent
target for hackers. One reason is that many users do not understand
how to use the powerful security tools that come with WordPress.
Often a site is poorly maintained but has valuable information
inside — information hackers can use to steal identities or
simply take control of the site. Some
use WordPress sites as practice to hone their hacking
skills.

It is important that you, the site owner, take action to make
sure your website is secure. How do you protect your sites from
hackers and keep your data and that of your customers safe? Here
are seven important tips.

1. Update and Limit Themes

When you log in to your
WordPress dashboard, you will see a tab for plugins. If there is a
red number by it, it means your themes need to be updated. While
often neglected, this is an important part of site maintenance.
Most of these updates have something to do with security or bug
fixes, things you want to take care of anyway.

However, it is also important that you delete themes you are not
using. These can give hackers a path into your site. If you are
only using a single theme, like the popular Divi
Builder or even a custom theme built by your web designer,
delete the others from your list.

2. Update and Limit Plugins

Updating and limiting plugins is also important to the speed of
your site. Be careful here though. Some plugins are designed for
security, and you will want to leave those active. However, too
many security plugins used at the same time can conflict with each
other, causing issues rather than preventing them.

Delete plugins you are not using. Research and use the
best security plugins for you — ones that will not conflict
with each other, but don’t use more than one to accomplish the
same task. When you have a little red number next to your plugins
menu item, update them. The updates are like those for themes and
are important.

3. Understand and Set File and Directory Permissions

This is another common problem for site owners.
File and directory permissions are set in your cPanel, and if
you don’t understand them, get help from your web developer.
There are codes for each file and directory that determine who can
access them. 777 permissions are the most common for directories
but the least secure. Use 750 or 755 for directories, 640 or 644
for files, and 600 for your wp-config.php file.

Setting these permissions helps keep hackers from using your
site's own files as a backdoor.
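As an added example (not part of the guest post), here is a small shell script that does what this tip describes from the command line on the host: it audits a WordPress install against the modes the article recommends (755 or 750 for directories, 644 or 640 for files, 600 for wp-config.php) and can apply them. It assumes a POSIX sh with find(1) and chmod(1); the install root path is an assumption you supply.

```shell
#!/bin/sh
# Added example (not from the article): audit and fix WordPress file permissions
# from a shell on the host, using the modes the article recommends:
# 755 (or 750) for directories, 644 (or 640) for files, 600 for wp-config.php.
# Assumes a POSIX sh with find(1) and chmod(1); the site root is passed as $1.

# wp_perm_audit ROOT
# Prints each path whose mode deviates from the expected value, one per line,
# prefixed with "dir", "file" or "conf". Returns 0 if nothing deviates, 1 otherwise.
wp_perm_audit() {
    root="$1"
    out=$( {
        find "$root" -type d ! -perm 755 ! -perm 750 | sed 's/^/dir  /'
        find "$root" -type f ! -name wp-config.php ! -perm 644 ! -perm 640 | sed 's/^/file /'
        find "$root" -type f -name wp-config.php ! -perm 600 | sed 's/^/conf /'
    } )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# wp_perm_fix ROOT
# Applies the recommended modes. Run the audit first so you see what will
# change, and make sure the files are owned by the account your web server
# expects before relying on these modes (ownership is host-specific and is
# not handled here).
wp_perm_fix() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php holds database credentials and salts: owner-only access.
    find "$root" -type f -name wp-config.php -exec chmod 600 {} +
}

# Usage (uncomment and point at your own install; the path is an assumption):
# wp_perm_audit /var/www/html || wp_perm_fix /var/www/html
```

The audit lists every deviation before anything is changed, which is the order you want on a live site: a directory the web server cannot write to (uploads, cache) shows up as a symptom immediately, while a world-writable one does not.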

4. Change Passwords Often

This should be a given for any password but is especially true
for your WordPress site, and above all for your primary administrator
account. First, don’t use the username “admin” anywhere on
your site. If you write content for your site, use an author
profile with lower levels of permission so a hacker cannot easily
find your primary username.

Use a
password generator when possible if you are changing passwords.
LastPass, iCloud Keychain, and other password management systems
are all available browser extensions depending on the browser you
use or your operating system. Set an alert to change these at least
once a quarter, if not more often.

5. Add Two-Step Authentication

Two-step authentication is a good thing to add for many of your
passwords where possible. This includes things like your social
media, your banking website, and more. WordPress has this option
too.
How does two-step authentication help?

Essentially, it requires anyone logging in to have not only your
password but also a device you own, like your phone,
tablet, or computer. For instance, when you log in, a text code is
sent to you that you must enter. Without it, you cannot get into
your site. It is a great way to defeat all but the most determined
hackers.

6. Enable Firewalls

Many people find firewalls to be annoying when surfing the web,
as often you will have to whitelist sites and go through other
inconveniences, but security is not always about convenience.
Having your firewall enabled
on your computer, especially the machine where you primarily
run your site, is an essential part of security and another layer a
hacker will have to get through before they have access to your
information.

Always, always, always keep your firewall enabled, and never
turn it off at the request of anyone or any site. It’s dangerous
and a good way to put yourself in digital harm’s way.

7. Limit Login Attempts and Get Alerts

Ah, one of the primary ways to keep many hackers out of your
site: limit login attempts. This means if they are trying to guess
your password — even using a program that tries several passwords
in a row — after only a few attempts, the account they are trying
to access will be locked temporarily, and none of their continued
attempts will work even if they accidentally get the password
right.

You can also
set up your site to alert you when an attack is happening. The
alert, usually via email, will tell you which username they are
attempting to use, how many attempts they have made in a certain
amount of time, and even the IP address the attacks are coming
from. That IP address will be blocked from making future
attempts.
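The alert described above (which username, how many attempts in a window, which IP) is exactly what a login-limiting plugin derives from the login traffic. As an added example that is not from the guest post, the script below shows the same detection done by hand over a web server access log: it counts POSTs to /wp-login.php per client IP within each clock minute and lists the IPs that cross a threshold. It assumes Apache/nginx "combined"-style log lines and a POSIX sh with awk(1); the log lines it contains are constructed, not a real capture, and use RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example (not from the article): spot password-guessing against
# wp-login.php in a web server access log and list the offending IPs.
# Assumes Apache/nginx "combined"-style log lines, where field 1 is the
# client IP, field 4 the "[day/Mon/year:HH:MM:SS" timestamp, field 6 the
# quoted method, field 7 the request path and field 9 the status code.

# wp_login_flood LOGFILE [LIMIT]
# Prints "IP minute count" for every IP that made at least LIMIT (default 5)
# failed login POSTs to /wp-login.php within the same clock minute.
# A failed attempt re-renders the login form (HTTP 200); a successful
# login redirects to the dashboard (302), so only 200s are counted.
wp_login_flood() {
    log="$1"
    limit="${2:-5}"
    awk -v limit="$limit" '
        $6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" {
            minute = substr($4, 2, 17)     # e.g. 10/Oct/2023:13:55
            n[$1, minute]++
        }
        END {
            for (k in n) {
                if (n[k] >= limit) {
                    split(k, part, SUBSEP)
                    printf "%s %s %d\n", part[1], part[2], n[k]
                }
            }
        }
    ' "$log" | sort
}

# wp_flood_blocklist LOGFILE [LIMIT]
# Same detection reduced to unique IPs, one per line, ready to feed into
# your host's firewall or deny list (the blocking step itself is host-specific).
wp_flood_blocklist() {
    wp_login_flood "$1" "${2:-5}" | awk '{ print $1 }' | sort -u
}

# Constructed sample log, NOT a real capture; IPs are from the RFC 5737
# documentation ranges. 203.0.113.7 repeatedly fails the login form;
# 198.51.100.2 is an ordinary user who mistyped a password once, then got in.
sample_access_log() {
    cat <<'EOF'
198.51.100.2 - - [10/Oct/2023:13:55:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2321
198.51.100.2 - - [10/Oct/2023:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 200 2408
198.51.100.2 - - [10/Oct/2023:13:55:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Oct/2023:13:55:30 +0000] "POST /wp-login.php HTTP/1.1" 200 2408
203.0.113.7 - - [10/Oct/2023:13:55:31 +0000] "POST /wp-login.php HTTP/1.1" 200 2408
203.0.113.7 - - [10/Oct/2023:13:55:31 +0000] "POST /wp-login.php HTTP/1.1" 200 2408
203.0.113.7 - - [10/Oct/2023:13:55:32 +0000] "POST /wp-login.php HTTP/1.1" 200 2408
203.0.113.7 - - [10/Oct/2023:13:55:33 +0000] "POST /wp-login.php HTTP/1.1" 200 2408
203.0.113.7 - - [10/Oct/2023:13:55:34 +0000] "POST /wp-login.php HTTP/1.1" 200 2408
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-admin/ HTTP/1.1" 302 0
EOF
}

# Usage: sample_access_log > /tmp/access.log; wp_login_flood /tmp/access.log 5
```

Run against the sample, only 203.0.113.7 is reported (six failed POSTs in the 13:55 minute), while the legitimate user who fumbled once stays under the threshold. Bucketing by clock minute is the simplest form of "attempts in a certain amount of time"; a plugin does the same with a sliding window and a lockout timer, and it sees the username too, which the access log does not record.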

Bonus: You’re Hacked: Now What?

Despite all of the best practices, almost any site can be
hacked, but if you act
quickly when it happens, you can help limit the damage. Here
are some quick steps:

Change your password.

Contact your host, or IT if you are self-hosting, to make sure
they know about the attack and prevent it from spreading to other
sites or elsewhere on the host.

Contact your web developer. Have them go through the code on
your site to make sure nothing malicious is left behind.

Another pro tip: Be sure your site is backed up so that you can
recover all your data up to the last backup. Catastrophe
is rare, but it does happen, and a backup can really save the
day.

Your website is the backbone of your business, and it is
probably designed on a WordPress platform. To make sure it is
secure, follow these steps, and do a security checkup often. Keep
things up to date, and be sure to understand and follow good
security protocols. Your site will be secure, and so will the data
you store there.